Krux

March 16, 2026
Phishing Campaign Clones AWS Login, Steals MFA in 20 Minutes
Published: March 16, 2026 at 12:56 AM
Updated: March 16, 2026 at 12:56 AM
What happened
Datadog Security Labs uncovered an active phishing campaign that proxies AWS logins in real time, capturing both passwords and MFA codes as victims type them. The fake sign-in pages are pixel-perfect copies of Amazon's actual interface, complete with convincing OAuth flows and region-specific URLs like "us-west-2.console.aws.cloud-recovery.net." Here's the scary part: attackers logged into one compromised account within 20 minutes of the victim hitting submit. The setup treats your authenticator app like a speed bump, not a roadblock.
Why it matters
The campaign runs admin panels on port 3000 where operators watch credentials roll in live. Hardware security keys (FIDO2) block this attack completely because they verify the actual domain, not just what it looks like.
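The domain check mentioned above, as an added example that is not from the article or from Datadog's report: the relying-party side of WebAuthn rejects an assertion made on the look-alike host because the browser-written origin and the authenticator's RP ID hash both name that host. The RP ID, origin, function names and sample challenge are assumptions made for illustration.

```python
import hashlib
import json

# Assumed RP ID and origin for illustration; the article does not state them.
EXPECTED_RP_ID = "signin.aws.amazon.com"
EXPECTED_ORIGIN = "https://signin.aws.amazon.com"


def browser_assertion(page_host: str, challenge: str) -> dict:
    """Model the domain-bound fields a browser and authenticator emit.

    Simplification: the RP ID is taken to be the page's own host, and the
    signature is omitted. The browser, not the page, writes the origin.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge,
        "origin": f"https://{page_host}",
    }).encode()
    rp_id_hash = hashlib.sha256(page_host.encode()).digest()
    # authenticatorData = rpIdHash (32) | flags (1: UP 0x01 + UV 0x04) | signCount (4)
    auth_data = rp_id_hash + bytes([0x05]) + (1).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_domain_binding(assertion: dict, challenge: str) -> list:
    """Relying-party side: the origin and RP ID checks of assertion verification."""
    errors = []
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        errors.append("wrong type")
    if cd.get("challenge") != challenge:
        errors.append("challenge mismatch")
    if cd.get("origin") != EXPECTED_ORIGIN:
        errors.append(f"origin mismatch: {cd.get('origin')}")
    auth = assertion["authenticatorData"]
    if len(auth) < 37:
        errors.append("authenticatorData too short")
    elif auth[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch")
    return errors


if __name__ == "__main__":
    chal = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed sample challenge
    for host in (EXPECTED_RP_ID, "us-west-2.console.aws.cloud-recovery.net"):
        print(host, verify_domain_binding(browser_assertion(host, chal), chal) or "ok")
```

A typed TOTP code carries no such binding, which is why a real-time proxy can relay it unchanged.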